How to use basic auth on all domains and add exception to one with a path?

I have some domains and want to use basic auth on them.
Here is my relevant part of docker-compose.yml:

      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.routers.staging-http.rule=
          Host(`domain-1.staging.tld`) ||
          Host(`domain-2.staging.tld`) ||
          Host(`domain-3.staging.tld`) ||
          Host(`domain-4.staging.tld`) ||
          Host(`domain-5.staging.tld`) ||
          Host(`domain-6.staging.tld`) ||
          Host(`domain-7.staging.tld`)"
        - "traefik.http.routers.staging-http.entrypoints=http"
        - "traefik.http.routers.staging-http.service=staging"
        - "traefik.http.routers.staging-http.middlewares=https-redirect@file"
        - "traefik.http.routers.staging.rule=
          Host(`domain-1.staging.tld`) ||
          Host(`domain-2.staging.tld`) ||
          Host(`domain-3.staging.tld`) ||
          Host(`domain-4.staging.tld`) ||
          Host(`domain-5.staging.tld`) ||
          Host(`domain-6.staging.tld`) ||
          Host(`domain-7.staging.tld`)"
        - "traefik.http.routers.staging.entrypoints=https"
        - "traefik.http.routers.staging.service=staging"
        - "traefik.http.routers.staging.middlewares=basic-auth@file,https-redirect@file"
        - "traefik.http.routers.staging.tls=true"
        - "traefik.http.routers.staging.tls.certresolver=letsencrypt"
        - "traefik.http.routers.staging.tls.options=default"
        - "traefik.http.routers.staging-no-auth.rule=(Host(`domain-7.staging.tld`) && PathPrefix(`/api/`))"
        - "traefik.http.routers.staging-no-auth.entrypoints=http,https"
        - "traefik.http.services.staging.loadbalancer.server.port=80"
        - "traefik.http.services.staging.loadbalancer.passhostheader=true"

So, I would like to use basic auth for all of my staging sites but I would like to add an exception for domain-7.staging.tld on path "/api/*".

How can I do that? What's wrong with my config?

Thanks!

You don't have a problem description here. What is working/not working. What are the expected vs actual results.

FYI I would create this deployment like the below, for a couple of users I'd create the basic-auth middleware in docker labels, otherwise I'd use the file.

version: "3.8"

services:
  traefik:
    image: "traefik:v2.5"
    command:
    - --entrypoints.web.address=:80
    - --entrypoints.web.http.redirections.entrypoint.to=websecure
    - --entrypoints.web.http.redirections.entrypoint.permanent=true
    - --entrypoints.websecure.address=:443
    - --entrypoints.websecure.http.tls=true
    - --providers.docker=true
    - --providers.docker.exposedbydefault=false
    - --providers.file.filename=/dynamic.yaml
    - --accesslog
    - --accesslog.format=json
    - --api
    - --log.format=json
    labels:
      traefik.enable: "true"
      traefik.http.routers.api.rule: Host(`traefik.localhost`)
      traefik.http.routers.api.service: api@internal

    ports:
      - published: 80
        target: 80
      - published: 443
        target: 443
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./dynamic.yaml:/dynamic.yaml"
  whoami:
    image: traefik/whoami
    labels:
      traefik.enable: "true"
      traefik.docker.network: proxy
      traefik.http.routers.staging.rule: HostRegexp(`{sub:domain-[0-9]+}.staging.tld`)
      traefik.http.routers.staging.middlewares: basic-auth@file
      traefik.http.routers.staging-no-auth.rule: Host(`domain-7.staging.tld`) && PathPrefix(`/api/`)
      # if this rule was lower priority then the staging rule(as it was with the multiple OR )
      # traefik.http.routers.staging-no-auth.priority: 300

http:
  middlewares:
    basic-auth:
      basicauth:
        users:
        - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"

When I set this up I did think you might be running into the rule priority order, I left the fix for that as a comment in the docker-compose.